CVE-2012-0884
openssl: CMS and PKCS#7 Bleichenbacher attack
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
La implementación de Cryptographic Message Syntax (CMS) y PKCS #7 de OpenSSL anteriores a 0.9.8u y 1.x anteriores a 1.0.0h no restringe apropiadamente un determinado uso de información posterior ("oracle behavior"), lo que facilita a atacantes dependientes del contexto desencriptar datos a través de un ataque de tipo "Million Message Attack (MMA) adaptive chosen ciphertext".
OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages. A flaw was found in the PKCS#7 and Cryptographic Message Syntax implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2012-01-19 CVE Reserved
- 2012-03-12 CVE Published
- 2024-08-06 CVE Updated
- 2025-08-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-310: Cryptographic Issues
CAPEC
References (25)
| URL | Tag | Source |
|---|---|---|
| http://secunia.com/advisories/48580 | Third Party Advisory | |
| http://secunia.com/advisories/48895 | Third Party Advisory | |
| http://secunia.com/advisories/48916 | Third Party Advisory | |
| http://secunia.com/advisories/57353 | Third Party Advisory | |
| http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564 | X_refsource_confirm | |
| http://www.kb.cert.org/vuls/id/737740 | Third Party Advisory |
|
| https://downloads.avaya.com/css/P8/documents/100162507 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | <= 0.9.8t Search vendor "Openssl" for product "Openssl" and version " <= 0.9.8t" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.0b Search vendor "Openssl" for product "Openssl" and version "0.9.0b" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.1b Search vendor "Openssl" for product "Openssl" and version "0.9.1b" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.1c Search vendor "Openssl" for product "Openssl" and version "0.9.1c" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.2b Search vendor "Openssl" for product "Openssl" and version "0.9.2b" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.3 Search vendor "Openssl" for product "Openssl" and version "0.9.3" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.3a Search vendor "Openssl" for product "Openssl" and version "0.9.3a" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.4 Search vendor "Openssl" for product "Openssl" and version "0.9.4" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.5 Search vendor "Openssl" for product "Openssl" and version "0.9.5" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.5a Search vendor "Openssl" for product "Openssl" and version "0.9.5a" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6 Search vendor "Openssl" for product "Openssl" and version "0.9.6" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6a Search vendor "Openssl" for product "Openssl" and version "0.9.6a" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6b Search vendor "Openssl" for product "Openssl" and version "0.9.6b" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6c Search vendor "Openssl" for product "Openssl" and version "0.9.6c" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6d Search vendor "Openssl" for product "Openssl" and version "0.9.6d" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6e Search vendor "Openssl" for product "Openssl" and version "0.9.6e" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6f Search vendor "Openssl" for product "Openssl" and version "0.9.6f" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6g Search vendor "Openssl" for product "Openssl" and version "0.9.6g" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6h Search vendor "Openssl" for product "Openssl" and version "0.9.6h" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6i Search vendor "Openssl" for product "Openssl" and version "0.9.6i" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6j Search vendor "Openssl" for product "Openssl" and version "0.9.6j" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6k Search vendor "Openssl" for product "Openssl" and version "0.9.6k" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6l Search vendor "Openssl" for product "Openssl" and version "0.9.6l" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.6m Search vendor "Openssl" for product "Openssl" and version "0.9.6m" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7 Search vendor "Openssl" for product "Openssl" and version "0.9.7" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7a Search vendor "Openssl" for product "Openssl" and version "0.9.7a" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7b Search vendor "Openssl" for product "Openssl" and version "0.9.7b" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7c Search vendor "Openssl" for product "Openssl" and version "0.9.7c" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7d Search vendor "Openssl" for product "Openssl" and version "0.9.7d" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7e Search vendor "Openssl" for product "Openssl" and version "0.9.7e" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7f Search vendor "Openssl" for product "Openssl" and version "0.9.7f" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7g Search vendor "Openssl" for product "Openssl" and version "0.9.7g" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7h Search vendor "Openssl" for product "Openssl" and version "0.9.7h" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7i Search vendor "Openssl" for product "Openssl" and version "0.9.7i" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7j Search vendor "Openssl" for product "Openssl" and version "0.9.7j" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7k Search vendor "Openssl" for product "Openssl" and version "0.9.7k" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7l Search vendor "Openssl" for product "Openssl" and version "0.9.7l" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.7m Search vendor "Openssl" for product "Openssl" and version "0.9.7m" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8 Search vendor "Openssl" for product "Openssl" and version "0.9.8" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8a Search vendor "Openssl" for product "Openssl" and version "0.9.8a" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8b Search vendor "Openssl" for product "Openssl" and version "0.9.8b" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8c Search vendor "Openssl" for product "Openssl" and version "0.9.8c" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8d Search vendor "Openssl" for product "Openssl" and version "0.9.8d" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8e Search vendor "Openssl" for product "Openssl" and version "0.9.8e" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8f Search vendor "Openssl" for product "Openssl" and version "0.9.8f" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8g Search vendor "Openssl" for product "Openssl" and version "0.9.8g" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8h Search vendor "Openssl" for product "Openssl" and version "0.9.8h" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8i Search vendor "Openssl" for product "Openssl" and version "0.9.8i" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8j Search vendor "Openssl" for product "Openssl" and version "0.9.8j" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8k Search vendor "Openssl" for product "Openssl" and version "0.9.8k" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8l Search vendor "Openssl" for product "Openssl" and version "0.9.8l" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8m Search vendor "Openssl" for product "Openssl" and version "0.9.8m" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8n Search vendor "Openssl" for product "Openssl" and version "0.9.8n" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8o Search vendor "Openssl" for product "Openssl" and version "0.9.8o" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8p Search vendor "Openssl" for product "Openssl" and version "0.9.8p" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8q Search vendor "Openssl" for product "Openssl" and version "0.9.8q" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8r Search vendor "Openssl" for product "Openssl" and version "0.9.8r" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 0.9.8s Search vendor "Openssl" for product "Openssl" and version "0.9.8s" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 1.0.0 Search vendor "Openssl" for product "Openssl" and version "1.0.0" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 1.0.0a Search vendor "Openssl" for product "Openssl" and version "1.0.0a" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 1.0.0b Search vendor "Openssl" for product "Openssl" and version "1.0.0b" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 1.0.0c Search vendor "Openssl" for product "Openssl" and version "1.0.0c" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 1.0.0d Search vendor "Openssl" for product "Openssl" and version "1.0.0d" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 1.0.0e Search vendor "Openssl" for product "Openssl" and version "1.0.0e" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 1.0.0f Search vendor "Openssl" for product "Openssl" and version "1.0.0f" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | 1.0.0g Search vendor "Openssl" for product "Openssl" and version "1.0.0g" | - |
Affected
| ||||||